Companies Face Online Fraud, Other Security Threats

LOS ANGELES — A recent report from U.K. fraud prevention service CIFAS has found that one out of every five companies has been the victim of an online scam, underscoring a theme that many business owners have been grappling with — tough times bring out the worst in people.

Indeed, adult operators have long battled outright hacking attacks, as well as the dubious actions of shady billing, traffic and other companies, along with the notorious level of "friendly fraud" perpetrated by consumers seeking a chargeback in lieu of paying their legitimately incurred charges. But the threat levels to industry operators and all other businesses that use the Internet go beyond these issues.

The eye-opening news comes in the wake of data gathered in support of National Identity Fraud Prevention Week, which finds that a third of employees mishandle sensitive data, while 12 percent access the Internet from workplace network computers without using common security software.

Worse, however, than the increasing threat level, is the fact that many business owners are simply not aware of the threat, or consider themselves "too smart to be fooled by scammers" — findings which were highlighted in a survey of U.K. businesses by Equifax. In the report, the Equifax Commercial Team advises companies to stay on top of their credit reports, keeping an eye out for suspicious entries, and to know who they do business with — checking out new vendors and customers before doing business with them; an especially important issue for merchants that extend terms.

CIFAS was established in 1988, with members spread across the banking, credit card, asset finance, retail credit, mail order, insurance, savings and investments, telecommunications, factoring, and share dealing industries, among others. According to the group, its members "share information about identified frauds in the fight to prevent further fraud."

As part of the survey, respondents rated various types of fraud on a scale of one to 10. Online banking was seen as fairly risk free, ranking a 4.75; while credit card fraud was seen as being more of a problem, earning it a score of 7.2; which the report suggests may be due to the high profile of credit card fraud and its universal impact on both businesses as well as the individuals who run them.

The Federation of Small Businesses also contributed to the report, supplying data that indicates that during the past year, 54 percent of businesses were victimized by online scammers; while 37 percent reported problems with phishing emails; and 15 percent suffered from hacking and viruses.

"IT security shouldn't be seen as optional — putting in place an adequate strategy is far preferable to having to deal with the consequences of a breach," Imerja CTO and IT security specialist, Matt Hampton, said. "Indeed, in this difficult economy, a data breach may be the final straw for any size business, large or small."

Symantec's Pacific Region SMB Director, Steve Martin, agrees.

"With new security threats emerging every day, keeping computer networks safe and security measures up-to-date should be a priority for any business," Martin said. "But with around 46 percent of SMEs operating without dedicated IT staff, understanding the possible threats and having the ability to protect computer systems can be challenging."

According to Martin, the IT threat landscape has changed dramatically over the past few years, with a growing threat from organized cyber criminals seeking to access confidential business information and intellectual property; including an estimated 285 million data records stolen last year, which cost companies around $600 million worldwide. These attacks, Martin says, are becoming "far more sophisticated and stealthy, targeting specific SMEs to reap financial gain." Martin also cites a Washington Post article identifying Eastern European criminal gangs which are preying on small and mid-size companies in the United States, hoping to steal their banking credentials through the use of malware.

"Malware attacks have become increasingly subtle as new variants are developed," Martin said. "The worry for many small businesses is working out how to avoid these threats, which is not an easy task when detection is often difficult."

Phishing also is cited as another means by which criminals may gain sensitive information — and may do so simply by asking one of your employees nicely for the sought after information, such as a password.

"Phishers use spam, malicious websites, email messages and instant messages to trick people into divulging sensitive business information such as corporate passwords and customer records," Martin said. "With phishing attacks becoming commonplace, protecting confidential details is becoming increasingly difficult for business owners. Computers and personal mobile devices are connected in wider online networks, providing more opportunities for data to be attacked."

Martin advises business owners to take steps to protect their sensitive assets, such as investing in robust SME solutions, providing end-to-end protection of critical information, whether it is on a laptop, desktop, mobile device, server, in email, over the network, or in storage devices, and using up-to-date security software along with effective and accurate anti-spam protection.

"This is especially urgent given that Symantec last year observed a 192 percent increase in spam detected across the Internet, from 120 billion messages in 2007 to 350 billion in 2008," Martin said. "Recently, cyber-criminals capitalized on fears of the ‘swine flu' to attack users, at one point sending approximately one billion flu-related messages a day."

Martin also stresses the importance of employee education.

"No matter which security and back-up system is employed, the best policy is undoubtedly educating employees on the potential threats and encouraging them to take precautionary measures," Martin offered. "Simple precautions such as treating any email attachments from unknown senders with caution and ensuring any personal account information is not disclosed to unknown sources is absolutely vital."

"Requests to enter personal information should be treated with the upmost suspicion," he concluded. "Because this is the very data that cyber criminals and scammers are attempting to collect."